Bug 240055 (CVE-2007-2645)
Summary: CVE-2007-2645 Integer overflow in libexif
Product: [Other] Security Response
Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: mclasen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.frsirt.com/english/advisories/2007/1761
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-01-15 17:11:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Description
Lubomir Kundrak
2007-05-14 17:56:50 UTC
The problem results in a possible overflow in a memcpy() call, so it should be caught by _FORTIFY_SOURCE=2, therefore mitigating the possible arbitrary code execution to just a crash.

Created attachment 154677 [details]
Reproducer for libexif integer overflow

I was unable to reproduce it with this on both 32- and 64-bit systems with gimp, gphoto2 and nautilus.

# repoquery --whatrequires --alldeps libexif
gphoto2-0:2.2.0-2.1.i386
tracker-0:0.5.4-5.fc6.x86_64
libexif-0:0.6.13-2.x86_64
nautilus-0:2.16.2-7.fc6.x86_64
xsane-gimp-0:0.994-2.fc6.x86_64
fbida-0:2.06-3.fc6.x86_64
libkexif-0:0.2.4-3.fc6.x86_64
gnome-screensaver-0:2.16.1-4.fc6.x86_64
gphoto2-0:2.3.1-3.fc6.x86_64
gimp-2:2.2.13-1.fc6.x86_64
Thunar-0:0.8.0-1.fc6.x86_64
showimg-0:0.9.5-12.fc6.x86_64
gphoto2-0:2.3.1-3.fc6.i386
nautilus-0:2.16.0-5.fc6.x86_64
ufraw-gimp-0:0.11-3.fc6.x86_64
ufraw-0:0.11-3.fc6.x86_64
gimp-2:2.2.14-5.fc6.x86_64
gnome-commander-0:1.2.3-5.fc6.x86_64
eog-0:2.16.3-1.fc6.x86_64
libexif-0:0.6.13-2.i386
gphoto2-0:2.2.0-2.1.x86_64
libexif-devel-0:0.6.13-2.x86_64
gthumb-0:2.7.8-3.fc6.x86_64
eog-0:2.16.0.1-2.fc6.x86_64
libexif-devel-0:0.6.13-2.i386
koffice-krita-0:1.6.2-3.fc6.1.x86_64
tracker-0:0.5.4-4.fc6.x86_64
xsane-0:0.994-2.fc6.x86_64
gnome-screensaver-0:2.16.0-7.fc6.x86_64
#

No other similar issues were found and fixed in the release, according to the output of cvs diff -D20070510 -rlibexif-0_6_14-release

Created attachment 154678 [details]
Fix for libexif integer overflow

Extracted from upstream CVS.
Applies against FC-5, FC-6, RHEL-4, RHEL-5

Created attachment 155358 [details]
Minimal testcase, currently segfaults

This flaw will not be caught by _FORTIFY_SOURCE=2. See this message: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

This usage of memcpy is as such:

/* 4) Not known if correct, not checkable at runtime.
   The compiler doesn't know the buffer size, no checking is done.
   Overflows will go undetected in these cases. */

This flaw is not exploitable to be anything other than a crash. The problem is that the code executes this line:

memcpy (entry->data, d + doff, s);

As we can see from gdb:

(gdb) print entry->data
$8 = (unsigned char *) 0x8eca498 ""
(gdb) print d
$9 = (const unsigned char *) 0x8eca1c6 "MM"
(gdb) print doff
$10 = 4294901874
(gdb) print s
$11 = 65535
(gdb) print d+doff
$12 = (const unsigned char *) 0x8eba238 <Address 0x8eba238 out of bounds>

d+doff is an OOB memory address, which means this bug crashes due to a bad read, which cannot be exploited.

NVD statement for this issue has been published: Red Hat does not consider this flaw to have security consequences.

Fedora packages were updated to the fixed upstream version, which among other fixes introduced the fix for this issue: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0003
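As an added illustration (not code from the bug report, its attachments, or libexif itself), the following C program replays the arithmetic behind the gdb session above. It assumes the pre-fix bounds check had the form "reject if size < doff + s", which is the pattern the reported values defeat; the function names, the 512-byte buffer and the in-bounds entry at offset 500 are constructed for the example. With doff = 4294901874 (0xFFFF0072) and s = 65535, doff + s wraps to 0x71 in 32-bit arithmetic, so such a check passes and memcpy() reads from d + doff. Applying the same 32-bit wrap to the pointer value 0x8eca1c6 gives exactly the 0x8eba238 that gdb printed, i.e. the session ran on a 32-bit build and the source address lies 65422 bytes below the start of d, with the 65535-byte read reaching only 113 bytes into the buffer. The hardened check compares s against the space remaining after doff and never forms the sum.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the gdb session in the bug comments. */
#define BUG_DOFF 4294901874u   /* 0xFFFF0072: tag data offset read from the file */
#define BUG_S    65535u        /* 0xFFFF: size of the tag data to copy */
#define BUG_D    0x8eca1c6u    /* 32-bit address of the EXIF buffer d */

/* Assumed pre-fix check (modelled on the bug, not quoted from libexif):
 * "reject if size < doff + s". doff + s is computed in 32 bits and wraps,
 * so a huge offset slips through. Returns 1 if the copy would be allowed. */
int bounds_ok_wrapping(uint32_t size, uint32_t doff, uint32_t s)
{
    uint32_t end = doff + s;          /* 0xFFFF0072 + 0xFFFF wraps to 0x71 */
    return size < end ? 0 : 1;
}

/* Hardened check: never form doff + s; compare s against the bytes that
 * remain after doff. Both operands are bounded by size, so nothing wraps. */
int bounds_ok_safe(uint32_t size, uint32_t doff, uint32_t s)
{
    if (doff > size)
        return 0;
    return s <= size - doff;
}

/* Pointer arithmetic as a 32-bit process performs it: d + doff wraps and
 * lands below d, which is the address gdb reported as out of bounds. */
uint32_t wrapped_source_addr32(uint32_t d, uint32_t doff)
{
    return d + doff;
}

/* Simulated entry load guarded by the hardened check. Copies s bytes from
 * d + doff into out and returns s, or returns 0 and copies nothing. */
size_t load_entry(const unsigned char *d, uint32_t size, uint32_t doff,
                  uint32_t s, unsigned char *out, size_t outcap)
{
    if (!bounds_ok_safe(size, doff, s) || s > outcap)
        return 0;
    memcpy(out, d + doff, s);
    return s;
}

/* Constructed 512-byte sample buffer standing in for the EXIF data. */
static void fill_sample(unsigned char *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        d[i] = (unsigned char)i;
}

/* Load a well-formed 8-byte entry at offset 500: returns 8. */
size_t demo_load_in_bounds(void)
{
    unsigned char d[512], out[8];
    fill_sample(d, sizeof d);
    return load_entry(d, sizeof d, 500u, 8u, out, sizeof out);
}

/* Load with the reported doff/s: the hardened check rejects it, returns 0. */
size_t demo_load_bug_values(void)
{
    unsigned char d[512], out[8];
    fill_sample(d, sizeof d);
    return load_entry(d, sizeof d, BUG_DOFF, BUG_S, out, sizeof out);
}

int main(void)
{
    printf("wrapping check lets the copy through: %d\n",
           bounds_ok_wrapping(512u, BUG_DOFF, BUG_S));
    printf("hardened check lets the copy through: %d\n",
           bounds_ok_safe(512u, BUG_DOFF, BUG_S));
    printf("32-bit d + doff = 0x%x (gdb showed 0x8eba238)\n",
           wrapped_source_addr32(BUG_D, BUG_DOFF));
    printf("in-bounds entry copied %zu bytes, bug values copied %zu bytes\n",
           demo_load_in_bounds(), demo_load_bug_values());
    return 0;
}
```

The point of bounds_ok_safe is that size - doff is only evaluated after doff <= size has been established, so every quantity compared is at most size and the 32-bit wrap that defeats the additive form cannot occur; the same pattern applies to any "offset plus length" check over attacker-supplied 32-bit fields.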